[Fedora-directory-users] boot time startup requires password
Kevin Myer
kevin_myer at iu13.org
Fri Jul 8 15:51:48 UTC 2005
Quoting Brian Jones <bkjones at gmail.com>:
> Thanks, Kevin.
>
> Can I make a feature request to whoever sees this that is way better
> at Java/C than me to at least make the stored password crypted in
> something stronger than rot13?
Just my opinion, but its kind of moot what format its stored in, as
long as its
a reversible cipher. An attacker need only see the ciphertext. Obscurity
provides only one thing - it raises the bar to actually use the password, in
that it requires an attacker to do a minimal amount of work to figure out what
the plaintext is. If the server daemon can use a reversible process to obtain
plaintext, then so can the attacker and they need to do that work
first, before
they can just type it in. So the note in the documentation about not using
this mechanism for storing passwords on an unsecured system is
definitely to be
heeded.
I've seen a number of debates about the merits of obscuring passwords in other
contexts - in one case, the decision was apparently made that it wasn't even
worth the hassle to obscure the password and it was echoed onto the screen of
the browser, since in theory, only administrators could access that
screen. I'd be interested to see what others think about obscuring the
admin password.
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
More information about the 389-users
mailing list